Vulnerability Management

  • Determine the relevant risks to the environment. Understand what the CSC’s cloud is used for, e.g. storage or financial transactions.

  • Identify what vulnerability scanning tools the CSC uses for their cloud services, either from their CSP, a third-party, or both.

  • Check if scanning tools are being used, how the tools are being used, and if the tools and their outputs are reliable.

  • Review the output.

    • Determine if the output matches the compliance requirements.

    • Understand what the CSC is doing with the output.

    • Understand if the output is reviewed by management.

    • Understand if the output addresses the relevant risk(s).

  • Review lessons learned and ensure the CSC has addressed any findings in a timely manner.

  • Understand the CSC’s approach to patching. Understand if the CSC is automatically accepting CSP forced patches or manually accepting them.

  • Ask how the CSC is hardening their images and keeping them up-to-date, as the CSP is not responsible for it.

  • Ask for documentation on how the CSC prioritizes and ranks vulnerabilities and SLAs.

    • Has the environment moved? Something could be in scope now when it wasn’t before.

    • Understand what protections (tools, technology, SLAs) the CSC has in place and how they are testing those, since those protections are different now that the CSC is in the cloud.

    • Understand how the CSC categorizes these protections.
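One way to test the “timely manner” and SLA points above is to run the CSC’s scanner export against its own documented SLA windows. The Python below is an added example, not part of the original checklist; the per-severity SLA days, the finding record layout and the sample findings are all constructed assumptions standing in for the CSC’s real policy and export.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical remediation SLA (days from discovery) per severity.
# Real values come from the CSC's vulnerability management documentation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None means the finding is still open


def sla_status(finding: Finding, as_of: date) -> str:
    """Classify one finding against the SLA as of a given audit date.

    within_sla: fixed on or before the deadline
    breached:   fixed, but after the deadline
    overdue:    still open and the deadline has passed
    open:       still open, deadline not yet reached
    """
    sev = finding.severity.lower()
    if sev not in SLA_DAYS:
        # A severity with no SLA is itself an audit finding: the ranking scheme is incomplete.
        raise ValueError(f"no SLA defined for severity {finding.severity!r}")
    deadline = finding.discovered + timedelta(days=SLA_DAYS[sev])
    if finding.remediated is not None:
        return "within_sla" if finding.remediated <= deadline else "breached"
    return "overdue" if as_of > deadline else "open"


def summarize(findings, as_of: date) -> dict:
    """Count findings per SLA status; anything in 'breached' or 'overdue' needs follow-up."""
    counts = {"within_sla": 0, "breached": 0, "overdue": 0, "open": 0}
    for f in findings:
        counts[sla_status(f, as_of)] += 1
    return counts


# Constructed sample export (not real scanner data) and a fixed audit date.
AS_OF = date(2024, 4, 1)
SAMPLE = [
    Finding("F-001", "critical", date(2024, 1, 2), date(2024, 1, 5)),   # fixed in 3 days
    Finding("F-002", "critical", date(2024, 1, 2), date(2024, 1, 20)),  # fixed in 18 days
    Finding("F-003", "high", date(2024, 2, 1)),                         # open, past 30 days
    Finding("F-004", "low", date(2024, 3, 1)),                          # open, within 180 days
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.finding_id, f.severity, sla_status(f, AS_OF))
    print(summarize(SAMPLE, AS_OF))
```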

  • Ask how the CSC manages penetration testing, as it requires working with the CSP. Understand if they are doing it or not doing it because of the extra notification and coordination overhead.

  • Assess what their vulnerability management looks like in their cloud environment. Understand if the controls are actually remediating the risk. Some best practices that should be present:

    • Patch management strategy – controlling how info comes into the environment

    • Proactive detection – pen testing

    • Virus detection

    • Border definition

  • Confirm penetration testing has been completed.

  • Verify cloud services are included within an internal patch management process.

  • Assess the implementation and management of antimalware for compute instances in a similar manner as with physical systems.